cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2582
Views
0
Helpful
4
Replies

WAP 561 Web Browsing only

smcnallie
Level 1
Level 1

I am looking for some help configuring a Cisco WAP 561 to only allow web browsing.  Currently, I am able to configure an ACL deny specific ports.  I set the rules to deny the ports and the last rule allows everything.  This works ok, but I can only configure 10 rules.

I would rather set it to only allow port 80 and 443.  Is there a way to do this?  If so, i'm having no luck figuring it out.

Also, the WAP561 does not have a command line interface. Only web configuration.

Below is what I have configured.  I am denying share drives, remote desktop, and some specific internal IPs. 

<acl name="GuestAccess">

<acl-type>ipv4</acl-type>

<in-use>1</in-use>

</acl>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>tcp</protocol>

<dst-port>135</dst-port>

<index>19</index>

<commit>3</commit>

<rule-index>1</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>tcp</protocol>

<dst-port>445</dst-port>

<index>20</index>

<commit>3</commit>

<rule-index>2</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>udp</protocol>

<dst-port>137</dst-port>

<index>21</index>

<commit>3</commit>

<rule-index>3</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>udp</protocol>

<dst-port>138</dst-port>

<index>22</index>

<commit>3</commit>

<rule-index>4</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>tcp</protocol>

<dst-port>3389</dst-port>

<index>23</index>

<commit>3</commit>

<rule-index>5</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>ip</protocol>

<dst-ip>192.168.24.16</dst-ip>

<dst-ip-mask>0.0.0.0</dst-ip-mask>

<index>24</index>

<commit>3</commit>

<rule-index>6</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>ip</protocol>

<dst-ip>192.168.25.164</dst-ip>

<dst-ip-mask>0.0.0.0</dst-ip-mask>

<index>25</index>

<commit>3</commit>

<rule-index>7</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>permit</action>

<every>yes</every>

<index>26</index>

<commit>3</commit>

<rule-index>8</rule-index>

</rule>

<acl name="GuestAccess">

<acl-type>ipv4</acl-type>

<in-use>1</in-use>

</acl>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>tcp</protocol>

<dst-port>135</dst-port>

<index>19</index>

<commit>3</commit>

<rule-index>1</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>tcp</protocol>

<dst-port>445</dst-port>

<index>20</index>

<commit>3</commit>

<rule-index>2</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>udp</protocol>

<dst-port>137</dst-port>

<index>21</index>

<commit>3</commit>

<rule-index>3</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>udp</protocol>

<dst-port>138</dst-port>

<index>22</index>

<commit>3</commit>

<rule-index>4</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>tcp</protocol>

<dst-port>3389</dst-port>

<index>23</index>

<commit>3</commit>

<rule-index>5</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>ip</protocol>

<dst-ip>192.168.24.16</dst-ip>

<dst-ip-mask>0.0.0.0</dst-ip-mask>

<index>24</index>

<commit>3</commit>

<rule-index>6</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>deny</action>

<protocol>ip</protocol>

<dst-ip>192.168.25.164</dst-ip>

<dst-ip-mask>0.0.0.0</dst-ip-mask>

<index>25</index>

<commit>3</commit>

<rule-index>7</rule-index>

</rule>

<rule>

<acl-name>GuestAccess</acl-name>

<acl-type>ipv4</acl-type>

<action>permit</action>

<every>yes</every>

<index>26</index>

<commit>3</commit>

<rule-index>8</rule-index>

</rule>

4 Replies 4

jeffrrod
Level 4
Level 4

Hi Shane,

Thank you for reaching the Small Business Support Community.

Notice there is an implicit “deny” at the end of every ACL, so what I suggest doing is just create one ACL with two rules; to “permit” TCP 80 and 443 respectively where the implicit “deny” will block everything else. Something like this:

Just in case please refer to the admin guide, page 111, for details;

http://www.cisco.com/en/US/docs/wireless/access_point/csbap/wap5x1/administration/guide/WAP551_561_admin_guide.pdf

Please do not hesitate to reach me back if there is any further assistance I may help you with.

Kind regards,

Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer

*Please rate the Post so other will know when an answer has been found.

Jeffrey Rodriguez S. .:|:.:|:. Cisco Customer Support Engineer *Please rate the Post so other will know when an answer has been found.

Jeff and Shane,

Creating a rule for 80 and 443 will allow you to web browse but will not allow DHCP or DNS resolution.  I suggest creating 4 rules similar to below.

ipv4

1

Guest-Access

ipv4

permit

ip

80

1

3

1

Guest-Access

ipv4

permit

tcp

443

2

3

2

Guest-Access

ipv4

permit

udp

67

3

3

3

Guest-Access

ipv4

permit

udp

53

4

3

4


ipv4
1

This allows wireless guest access to dhcp, dns, and web browsing.  There is an implicit deny at the end of each rule so there is no need to specifiy one.  Hope this helps.  FYI I'm using the latest firmware for the WAP561.

Thanks for the replies.  I've tried setting the rules above, permitting tcp 80, tcp 443, udp 67, udp 53.  It still isn't working.  I can connect to the wap, but it says "no internet access". 

There may be some other settings I have set wrong:

  1. When I set these rules up, do I need to specify anything in Source IP address or Destination IP Address? I'm just specifying Destination ports right now. 
  2. Do I check "Client QoS mode" in Global Settings?
  3. Do I use ACL Type Down/ACL Name Down or ACL Type Up/ACL Name Up?  Or both? 

To answer your questions

     1.  You do not need to input anything in the source and destination unless you wish to have the guest use specific DNS servers.  Basically you are allowing based on protocol only.

     2.  Client QoS mode must be checked/Enabled as it controls all ACLs, rate limiting, and DiffServ configurations.

     3.  You would use ACL Up with this ACL.  ACL Up is communications originating from the guest end point (client to WAP)

This should work for you.  I implemented this last week on my WAP 561.

Hope this helps.